Recently, emails sent from my Postfix mail server to my Gmail account were getting tagged as ‘insecure’. Come to find out, they were no longer sending with TLS. They were defaulting back to open SMTP over port 25. Why? Because Debian’s ca-certificates.crt had updated and that removed the CA needed to make my site’s certificate valid – and I use that same certificate to encrypt my TLS SMTP traffic.
First, to diagnose the problem, I forced TLS in my main.cf and turned on TLS logging with the following settings:
I then restarted Postfix with:
sudo service postfix restart
After restarting, Postfix provides the following error in its logs when attempting to send email:
TLS is required, but our TLS engine is unavailable
Earlier in the log file, it indicates a failure to load the CA file that validates the cert and key files. So, here’s the solution:
- Make sure your cert and CA files are located in /etc/ssl/certs
- Run the following command: sudo update-ca-certificates –fresh
- Then go to your Postfix main.cf and verify the following lines are there (and comment out any conflicting lines):
smtpd_use_tls=yes smtp_use_tls=yes smtpd_tls_CAfile=/etc/ssl/certs/ca-certificates.crt smtpd_tls_cert_file=/etc/ssl/certs/YOUR_CERT.crt smtpd_tls_key_file=/etc/ssl/YOUR_PRIVATE_KEY.key smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt smtp_tls_key_file=/etc/ssl/YOUR_PRIVATE_KEY.key smtp_tls_cert_file=/etc/ssl/certs/YOUR_CERT.crt smtpd_tls_security_level=encrypt smtp_tls_security_level=encrypt
- Restart the Postfix service again.
- Send an email to an @gmail.com address – you should no longer see the unlocked icon under the sender information.